Your customers and participants trust you with their personal information in order to receive great experiences, whether it is a small meeting, a company kickoff or a large conference. With the General Data Protection Regulation (GDPR) which came into force on May 25, 2018, the goal is to give each individual more control of their own personal information. Be sure that we are taking processing of personal information extremely seriously, and we want to offer tips on how you can do it too. You should not rely on this document for your GDPR compliance, but confer with legal counsel to make sure your usage of Qondor is GDPR compliant. Anyways, here are some important points you need to consider.

All links in this document points to a neat online version created by Intersoft Consulting for readability: https://gdpr-info.eu/. 

The actual official EU page conserning GDPR can be found at http://eur-lex.europa.eu. (where it is translated to multiple languages). 

Your company needs to have a Data Processing Agreement with us. The Data Processing Agreement describes how we process personal information as data processors, and how our relation with you (the data controllers) are. 

From article 4 of GDPR:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

So, all information collected on participants in Qondor is considered personal information.

Be sure to inform all participants how you use their personal information, how long you will be using it and who you will share the information with upon registration. Be sure to read GDPR Article 13 and Article 14 about the information required to your participants. It is also important to consider which information should be visible on booking confirmations. 

Many project managers are sending participants lists in unprotected Excel spreadsheets to suppliers. Spreadsheets with attendee information will not explicitly be forbidden after GDPR comes into effect, but it will be much harder to:

We have added functionality for secure attendee list sharing, which is explained here.

You need a legal basis for processing personal information, which can be

It is important that you do not collect personal information that you do not need from the attendees (Article 5). 

When you are importing participants in Qondor (for invitations or name reporting), be aware that you may be a data processor to your customer and not a data controller. Be sure to include information on how invited participants can unsubscribe to the invitation if applicable. 

Consider the scenarios for how long you need to store the data. Before May 25, 2018, Qondor introduced retention policy settings for automatic anonymisation of participant's personal data on closed projects. 

We have increased security options for users, and we never give out account information nor do we provide users with passwords. 

All information on a participant can be exported to a machine readable format (Excel). All prior versions of bookings are available as PDF documents, and you are able to extract a transaction overview in case of payments. Use 'Participant search' on your homepage to find participants. Read more on Access in Arcticle 15 and on Portability in Article 20.

Participants can either modify their own personal information or a Project Manager may do it upon request. For Customer/Supplier contact persons a Project Manager can modify their information from the Customer/Supplier sections in Qondor by search on contact persons.

According to Article 17 a data subject has the right to be forgotten. If you need to completely erase a data subject in Qondor, you need to email the request to support@qondor.com. As erasure of data is a one way street, we need to make sure that the request is from an office admin role or above.